
ST9-98-094 



What is claimed is: 



1. A storage system comprising:

a first storage area having an object stored therein; and
a second storage area having stored therein an object identifier that identifies
the object, wherein the object identifier is unique within and outside of the storage
system.

2. The storage system of claim 1, wherein the object identifier is a Universal
Unique Identifier (UUID).

3. The storage system of claim 1, wherein the first and second storage areas are
storage areas within a database.

4. The storage system of claim 3, wherein the object identifier is a Universal
Unique Identifier (UUID).



5. The storage system of claim 1, wherein the storage system is part of an access
control system.

6. A memory comprising:

a first storage area having an object stored therein; and 
a second storage area having stored therein an object identifier that identifies 
the object, wherein the object identifier is unique within and outside of the storage
system. 

7. The memory of claim 6, wherein the object identifier is a Universal Unique
Identifier (UUID).




8. The memory of claim 6, wherein the first and second storage areas are storage
areas within a database structure. 




9. The storage system of claim 8, wherein the object identifier is a Universal
Unique Identifier (UUID). 



10. A method of storing information in a storage system, comprising:

storing an object in the storage system; and 

storing an object identifier in the storage system, wherein the object identifier 
identifies the object, and the object identifier is unique within and outside of the
storage system. 

11. The method of claim 10, wherein the object identifier is a Universal Unique
Identifier (UUID).

12. The method of claim 10, wherein the object is stored in a database.

13. The method of claim 10, wherein the object identifier is stored in a database.

14. The method of claim 12, wherein the object identifier is a Universal Unique
Identifier (UUID). 

15. The method of claim 13, wherein the object identifier is a Universal Unique
Identifier (UUID).




16. The method of claim 10, wherein the storage system is part of an access
control system. 



17. An access control method comprising: 

requesting access for a user to a remote resource, wherein the request includes
a subject identifier for use in making an access control decision, and wherein the 
subject identifier is unique within and outside of the remote resource and identifies 
the user. 

18. The access control method of claim 17, wherein the subject identifier is a
Universal Unique Identifier (UUID).



19. The access control method of claim 18, wherein the request further includes a
subject descriptor for use in the access control decision. 



20. The access control method of claim 19, wherein the subject descriptor is a
UUID for an organizational structure that includes the user. 



21. The access control method of claim 19, wherein the access control decision is
made by a resource manager that protects the remote resource, and the request is sent 
over a communications path considered safe by the protecting resource manager and 
the user. 



22. A computer-readable medium having computer-executable code stored
thereon, comprising: 

computer instructions for requesting access for a user to a remote resource,
wherein the request includes a subject identifier for use in making an access control
decision, and wherein the subject identifier is unique within and outside of the remote 
resource and identifies the user. 

23. The access control method of claim 17, wherein the subject identifier is a
Universal Unique Identifier (UUID).



24. A method of identifying a user requesting access to an object, comprising:

establishing a secure communication path between a reference monitor
protecting the object and a resource manager having information describing the user,
in response to a request by the user to access the object;

sending a request for user information from the protecting reference monitor
to the resource manager, the request including a subject descriptor for the user,
wherein the subject identifier is a Universal Unique Identifier (UUID);

receiving, in response to the request, the user information located based on the
subject identifier.




25. The method of claim 24, further comprising:

determining, based on the received user information, if the user has
permission to access the requested object.



26. The method of claim 24, wherein the user information includes information
relating to an organization of which the user is a member. 

27. An information storage management system, comprising:
a collection of stored objects;

an access control unit for determining if a requestor is authorized to access a
protected object stored in the collection;

a resource manager connected to the access control unit and to a
communications channel;

wherein the resource manager receives a user's request for access to the
protected object, the request including a globally unique identifier for the user
requesting the access, and in response to the user's request the resource manager sends
over the communications channel to an external storage management system a request
for information about the user, the request including the globally unique identifier;
and

wherein the resource manager upon receiving a response including user
information about the user passes the user information to the access control unit; and
based on the user information the access control unit determines whether to grant the
subject access to the protected object.



28. The information storage management system of claim 27, wherein the globally
unique identifier is a Universal Unique Identifier (UUID).

29. The information storage management system of claim 27, wherein the user
information is organization information indicating whether the user is a member of an
organization.



30. An information storage management system, comprising:
a collection of stored objects;

an access control unit for determining if a requestor is authorized to access a
protected object stored in the collection;

a resource manager connected to the access control unit and to a
communications channel;

wherein the resource manager receives a user's request for access to the
protected object, the request including a globally unique identifier for the user
requesting the access, and in response to the user's request the resource manager
resolves the globally unique identifier to a user identifier recognized by an external
storage management system; the resource manager sending to the external storage
management system a request for information about the user, the request including the
resolved user identifier; and

wherein the resource manager upon receiving a response including user
information about the user passes the user information to the access control unit; and
based on the user information the access control unit determines whether to grant the
subject access to the protected object.

31. The information storage management system of claim 30, wherein the globally
unique identifier is a Universal Unique Identifier (UUID).



32. The information storage management system of claim 30, wherein the user
information is organization information indicating whether the user is a member of an
organization. 

33. The information storage management system of claim 30, wherein the
resource manager resolves the globally unique identifier by using a name server. 

34. A method of accessing a protected object, comprising:

sending a globally unique identifier for a user to a name resolving device, and
receiving therefrom information about the user; and

sending to a storage management system containing an object a request for
access to the object, the request including the information about the user.



35. The method of claim 34, wherein the globally unique identifier is a Universal
Unique Identifier (UUID). 

36. A computer-readable medium of computer-executable code for accessing a
protected object, comprising:

a first set of computer instructions for sending a globally unique identifier for
a user to a name resolving device, and receiving therefrom information about the user;
and

a second set of computer instructions for sending to a storage management
system containing an object a request for access to the object, the request including
the information about the user.



37. The computer-readable medium of computer-executable code of claim 36,
wherein the globally unique identifier is a Universal Unique Identifier (UUID). 
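The request flow of claims 17 through 21 and 27 through 33 (a globally unique subject identifier arrives with the access request, the resource manager resolves it through a name server to an identifier the external storage management system recognizes, fetches user information such as organization membership, and hands that information to an access control unit that decides) is shown below as an added example. It is not code from the patent or from any product it describes. The in-memory dictionaries standing in for the name server, the external storage management system and the object collection, and every identifier, name and function in it, are assumptions made for this example.

```python
"""Added example: a toy resource manager and access control unit acting on
globally unique subject identifiers. Not the patent's own code; all stores
are in-memory stand-ins and all identifiers are constructed sample values."""
import uuid
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Constructed sample identifiers (assumption: fixed values so the example is
# deterministic; a real system would mint them with uuid.uuid4()).
ALICE = uuid.UUID("a1b2c3d4-0000-4000-8000-000000000001")
BOB = uuid.UUID("a1b2c3d4-0000-4000-8000-000000000002")
UNKNOWN_SUBJECT = uuid.UUID("a1b2c3d4-0000-4000-8000-0000000000ff")
ENGINEERING = uuid.UUID("c0ffee00-0000-4000-8000-000000000010")
SALES = uuid.UUID("c0ffee00-0000-4000-8000-000000000011")
DESIGN_DOC = uuid.UUID("0b1ec700-0000-4000-8000-000000000100")

# Name server (claims 30 and 33): subject UUID -> identifier recognized by the
# external storage management system. Assumed in-memory for the example.
NAME_SERVER: Dict[uuid.UUID, str] = {
    ALICE: "alice@corp.example",
    BOB: "bob@corp.example",
}

# External storage management system (claims 27 and 29): resolved identifier ->
# user information, here the set of organizations the user belongs to.
EXTERNAL_USER_INFO: Dict[str, Set[uuid.UUID]] = {
    "alice@corp.example": {ENGINEERING},
    "bob@corp.example": {SALES},
}

# Collection of stored objects: object UUID -> (payload, organization allowed to read it).
OBJECTS: Dict[uuid.UUID, Tuple[bytes, uuid.UUID]] = {
    DESIGN_DOC: (b"design notes", ENGINEERING),
}


@dataclass(frozen=True)
class AccessRequest:
    subject_id: uuid.UUID                           # globally unique user identifier (claim 17)
    object_id: uuid.UUID
    subject_descriptor: Optional[uuid.UUID] = None  # org UUID offered by the requester (claim 20)


def resolve_subject(subject_id: uuid.UUID) -> Optional[str]:
    """Resource manager step: map the UUID to the external system's user identifier."""
    return NAME_SERVER.get(subject_id)


def fetch_user_info(resolved_id: str) -> Optional[Set[uuid.UUID]]:
    """Ask the external storage management system for information about the user."""
    return EXTERNAL_USER_INFO.get(resolved_id)


def access_control_unit(orgs: Set[uuid.UUID], allowed_org: uuid.UUID,
                        descriptor: Optional[uuid.UUID]) -> Tuple[bool, str]:
    """Decide from the fetched user information. The requester-supplied descriptor
    is used only if the authoritative information corroborates it."""
    if descriptor is not None and descriptor not in orgs:
        return False, "subject descriptor not corroborated by user information"
    if allowed_org not in orgs:
        return False, "user is not a member of the organization allowed to access the object"
    return True, "granted"


def handle_request(req: AccessRequest) -> Tuple[bool, str]:
    """Resource manager entry point: resolve, fetch, then delegate the decision.
    Every failure path denies (fail closed)."""
    entry = OBJECTS.get(req.object_id)
    if entry is None:
        return False, "unknown object"
    resolved = resolve_subject(req.subject_id)
    if resolved is None:
        return False, "unresolvable subject identifier"
    orgs = fetch_user_info(resolved)
    if orgs is None:
        return False, "no user information for resolved identifier"
    return access_control_unit(orgs, entry[1], req.subject_descriptor)


if __name__ == "__main__":
    for req in (AccessRequest(ALICE, DESIGN_DOC),
                AccessRequest(BOB, DESIGN_DOC),
                AccessRequest(UNKNOWN_SUBJECT, DESIGN_DOC),
                AccessRequest(ALICE, DESIGN_DOC, SALES)):
        print(req.subject_id, handle_request(req))
```

Two choices in the example matter for security and are not dictated by the claims: the subject descriptor that the requester supplies is treated as a hint and checked against the information returned by the external system rather than trusted on its own, and every failure to resolve or look up the identifier results in a denial rather than a fall-through.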